A Complete Guide to eIDAS
The European Union established eIDAS to regulate the use of digital identities by consumers and make it easier for businesses to conduct international transactions. We’ve created this guide to help people understand more about eIDAS and its business and legal impacts.
What is eIDAS?
The Electronic Identification, Authentication, and Trust Services EU regulation ensures there are updated, internationally accessible standards in place for the use of digital identities along with trust verification and validation. That way, there is confidence in the security of any online transactions used in business or to access public services. While eIDAS mandates compliance from all government services, private businesses have no obligation to comply with the eID standard.
Primary eIDAS Regulations
Under the guidance of eIDAS, citizens of and businesses operating in the EU use national electronic identification scheme (eIDS) numbers to access public services in other EU member states that make use of them. eIDAS outlines how member states must implement eIDS for EU citizens. Each state must recognize the eID of others.
The other major component of eIDAS legislation is the creation of a single digital market for using Electronic Trust Services (eTS) and ensuring the security of electronic transactions.
Covered eTS include:
- Electronic signatures
- Electronic seals
- Time stamps
- Electronic registered delivery services
- Website authentication
The eIDAS standards work to ensure that all eTS work across EU borders and receive the same legal status as paper processes. They also encourage transparency around the use of different trust services in online transactions. Putting the regulations in place reinforces confidence in the reliability and security of digital transactions.
What Led to the Enactment of eIDAS?
The EU began recognizing that online transactions would become the standard for future generations. That led to the establishment of the Digital Agenda by the European Commission. The emergence of more digital technology led to the desire from the EU to encourage digital growth and drive more innovation. To that end, they felt the need to encourage businesses to elevate their current levels of information security.
What Are Some Benefits of eIDAS?
One of the major benefits of eIDAS is how it ensures that eSignatures receive the same legal recognition as written signatures. It identifies three different levels of electronic signatures in online transactions.
A basic electronic signature used by a signer to show approval or acceptance of the terms outlined in a form or other document.
Advanced Electronic Signature (AdES)
These electronic signatures must meet more stringent requirements around verifying the ID of the signer and offering elevated security and safeguards against tampering. An AdES must:
- Have a unique link to the signer
- Be capable of identifying the signer
- Be created using signature creation data under the sole control of the signer
- Establish a link to the signed data that reflects any attempts at subsequent changes
Qualified Electronic Signature (QES)
The QES type is given special legal status across all EU member states. It must meet the standards of the AdES and have the backing of a qualified certificate issued by an EU trust service provider on the current EU Trusted List (ETL). That trust service provider must also have certification from an EU member state. That trust provider assumes responsibility for verifying the signer’s identity and vouching that signatures are authentic.
Other benefits of eIDAS include:
- Elevating the security around electronic transactions done across EU borders, making them more trustworthy
- Enabling transparency and standardization around electronic transactions
- Making sure there is a trail of accountability around electronic transactions
- Using online administrative services to reduce the amount of paperwork required from citizens moving from one member state to another
- Allowing businesses to reduce overhead and increase profits by decreasing the red tape around various transactions
- Letting governments offer citizens more flexibility and convenience in accessing services
The eIDAS legislation also benefits various industries throughout the EU.
Using eIDs and trust services gives companies working in the financial sector the opportunity to expand business opportunities by offering additional protections for online transactions. It also gives companies the ability to enact capabilities to:
- Identify and verify clients opening new accounts from overseas
- Review the risks of a potential business relationship
- Protect against money laundering
- Enable the remote signing of contracts with clients
- Use an electronic registered delivery service to ensure fast, secure exchanges of critical business documents
Secure online transactions are essential for businesses looking to maintain consumer trust and provide a better experience. They benefit from eIDAS by:
- Using eIDs to conduct more stringent identification checks when customers purchase restricted or high-value items
- Reducing costs by implementing digital signatures and timestamps to streamline processes and enable better document tracking
- Using qualified website authentication certificates to prevent data phishing and build customer trust
The guidelines established by eIDAS help the transportation industry by:
- Allowing car-sharing services to use eIDs and trust services to verify a customer’s identity through secure logins to enable remote car unlocking
- Giving freight transport and logistics the opportunity to use the electronic registered delivery service to enable secure digital contract exchanges
- Using eTimestamps to trace issues when there are delays among different carriers
The eIDAS legislation helps those in professional services like lawyers, notaries, accountants and architects build trust with clients by:
- Using eIDs to verify client identities in compliance with Know Your Customer Requirements
- Using eTimestamps and eSignatures on legally binding contractual agreements
- Allowing translators to use eSeals to certify the validity of translated documents
What Are the Legal Impacts of eIDAS?
Prior to eIDAS, the EU operated under the eSignatures Directive, established in 1999. That led to a situation where member states came up with their own interpretations. That meant different interpretations of the legality of electronic signatures when members moved from one state to another. The legislation went into effect in September 2014, with new phases gradually rolled out until the full implementation of eIDAS in September 2018.
The eIDAS legislation created a single framework to help the EU build a streamlined electronic signing system meant to push forward the Digital Single Market Initiative. That prevented the denial of electronic documents in court that didn’t bear an advanced or qualified eSignature. Another effect of eIDAS was to give a qualified eSignature the same legal weight as a handwritten signature. However, that doesn’t prevent documents bearing a standard electronic signature from being valid.
How Do Users Access eIDAS Data?
Users’ keys are held on Qualified Signature Creation Devices (QSCDs). These may take the form of an eIDAS-compliant smart card or USB token that enables local user sign-on. For remote signing, users access keys held in a Hardware Security Module (HSM) tied to a signing server. Signer keys are generated remotely in secure servers.
Timeline for eIDAS
- September 2014 — The eIDAS first goes into effect.
- September 2015 — Establishes voluntary recognition of eIDS. Other additions during this phase include creating an interoperability framework, adding eID levels of assurance, establishing the formats for advanced electronic signatures and seals, and laying out the technical specifications for national trust lists.
- July 2016 — The eIDAS formally replaces the eSignature directive. Member states begin issuing certificates to citizens. Certification Service Providers must submit a conformity assessment report within one year to become a qualified Trust Service Provider under eIDAS.
- September 2018 — Recognition of eIDs across borders becomes mandatory.
Additional eIDAS Info & Testing eIDAS
Use the following website to locate eIDAS-compliant Trust Service Providers.
Businesses can use the following resource to gain a better understanding of how to use eIDs in business. It also provides an environment for testing the functionality of eID and trust services.
What is FutureTrust?
FutureTrust is a project meant to address the need to create streamlined global solutions to allow for trustworthiness in online transactions. It’s meant to encourage the development of open-source software components and trust services to ease the path to using eIDS and other signature technology in the real world.
The project also looks to extend the current European Trust List infrastructure into the establishment of a Global Trust list. FutureTrust also hopes to establish an overarching Open Source Validation Service along with a Preservation Service for electronic seals and signatures. The Preservation Service will also make components available for an eID-based application for issuing qualified certificates across all borders and to create trustworthy remote seals and signatures for the mobile environment.
Recent eIDAS News
- FutureTrust releases eIDAS-Portal to kick-off “EU Student Card” and demonstrators for eMandates, eInvoices, and eApostilles
- go.eIDAS establishes formal association and welcomes additional partners
- FutureTrust releases Signature Generation & Sealing Service (SigS) and Validation Service (ValS)
- EU project FutureTrust enters piloting phase
- Deutsche Post AG integrates BSI-certified Open eCard technology into POSTIDENT App
What Are Trust Service Providers?
A Trust Service Provider is a natural or legal person charged with creating and preserving digital signatures used for the creation and validation of electronic signatures. They also authenticate signatories and general websites.
Are eSignatures in the EU legal and admissible?
Yes, eIDAS states that courts cannot reject documents on agreements solely for bearing electronic signatures.
What is EUTL?
The European Union Trust Lists (EUTL) is a list of active and legacy Trust Service Providers made available to the public.
What is the Cloud Signature Consortium (CSC)?
The Cloud Signature Consortium (CSC) is made up of academic and industry organizations with the goal of establishing a new standard for the use of cloud-based digital signatures. It should allow web and mobile applications to comply with the most stringent electronic signature requirements in countries around the world.
How Do I Get a Certificate-Based Digital ID?
You must reach out to one of the Trust Service Providers on the EU’s Trust List and ensure you meet all requirements to obtain a certificate.